BY ORDER OF THE SECRETARY OF THE AIR FORCE AIR FORCE INSTRUCTION 10-701 18 OCTOBER 2007 ACCESSIBILITY: AIR FORCE SPACE COMMAND Supplement 17 MARCH 2008 Operations OPERATIONS SECURITY (OPSEC) COMPLIANCE WITH THIS PUBLICATION IS MANDATORY Publications and forms/imts are available for downloading or ordering on the e-publishing website at www.e-publishing.af.mil. RELEASABILITY: There are no releasability restrictions on this publication. OPR: AF/A3O-CI Certified by: AF/A3O (Maj Gen (S) Gibson) Supersedes AFI10-701, 30 September 2005 Pages: 50 (AFSPC) OPR: A3DI Certified by: A3D (Colonel Joseph P. Squatrito) Pages: 12 This publication implements Air Force Policy Directive (AFPD) 10-7, Air Force Information Operations, September 6, 2006; and DOD Directive 5205.02, DOD Operations Security Program, March 6, 2006, and Joint Publication 3-13.3, Operations Security, June 29, 2006. The reporting requirements in this publication are exempt from licensing in accordance with AFI 33-324 paragraph 2.11.1, The Information Collections and Reports Management Program; Controlling Internal, Public, and Interagency Air Force Information Collections. It applies to all Major Commands (MAJCOM), Field Operating Agencies (FOA), Direct Reporting Units (DRU), Air National Guard (ANG) units and Air Force Reserve Command (AFRC). Any reference to wing-level OPSEC program management applies to wing and wing-equivalent organizations such as agency directorates, tenant units, numbered Air Force units and centers of excellence. This publication provides guidance for all Air Force personnel (military and civilian) and supporting contractors in implementing, maintaining and executing OPSEC programs. It describes the OPSEC process and discusses integration of OPSEC into Air Force plans, operations and support activities. Refer recommended changes and questions about this publication to the Office of Primary Responsibility (OPR) using the AF IMT 847, Recommendation for Change of Publication; route AF IMT 847s from the field through MAJCOM publications/forms managers. Ensure that all records created as a result of processes prescribed in this publication are maintained in accordance with AFMAN 37-123, (will convert to 33-363) Management of Records and disposed of in accordance with the Air Force Records Disposition Schedule (RDS) located at https://afrims.amc.af.mil/. The use of the name or mark of any specific manufacturer, commercial product, commodity, or service in this publication does not imply endorsement by the Air Force
2 AFI10-701_AFSPCSUP_I 17 MARCH 2008 (AFSPC) This supplement implements and extends the guidance of Air Force Instruction (AFI) 10-701, Operations Security (OPSEC). This supplement describes AFSPC s procedures for use in conjunction with the basic AFI. This supplement applies to Headquarters Air Force Space Command (AFSPC), its numbered air forces (NAF) and their assigned wings and squadrons, AFSPC direct reporting units (DRU), and Air National Guard (ANG) units 119 CACS, 137 SWS, and 153 CACS within AFSPC. Refer recommended changes and questions about this publication to the Office of Primary Responsibility (OPR) using the AF IMT 847, Recommendation for Change of Publication; route AF IMT 847s from the field through the appropriate functional s chain of command. Ensure that all records created as a result of processes prescribed in this publication are maintained in accordance with AFMAN37-123 (will convert to AFMAN33-363), Management of Records, and disposed of in accordance with the Air Force Records Disposition Schedule (RDS) located at https://afrims.amc.af.mil/. SUMMARY OF CHANGES This document has been substantially revised and must be completely reviewed. Chapter 1 GENERAL 4 1.1. General:... 4 1.2. Operational Context:... 4 1.3. Purpose:... 4 1.4. Roles and Responsibilities:... 5 Chapter 2 OPSEC PROCESS 14 2.1. General:... 14 2.2. Identify Critical Information:... 14 2.3. Analyze Threats:... 14 2.4. Analyze Vulnerabilities:... 15 2.5. Assess Risk:... 15 2.6. Apply OPSEC Measures:... 15 Chapter 3 OPSEC PLANNING 16 3.1. General.... 16 3.2. Operational Planning.... 16 3.3. Support Planning.... 16 3.4. Exercise Planning.... 16 3.5. Acquisition Planning.... 16
AFI10-701_AFSPCSUP_I 17 MARCH 2008 3 Chapter 4 OPSEC AWARENESS EDUCATION AND TRAINING 18 4.1. General.... 18 4.2. All Personnel:... 18 4.3. OPSEC Program Managers, Coordinators, and Planners:... 18 Chapter 5 OPSEC ASSESSMENTS 20 5.1. General:... 20 5.2. OPSEC Program Self-Assessment:... 20 5.3. Staff Assistance Visit (SAV):... 20 5.4. Survey:... 20 5.5. Support Capabilities:... 21 5.6. Annual Assessment Reporting:... 21 Table 5.1. OPSEC Assessment Types and Support Capabilities... 22 Chapter 6 AIR FORCE OPSEC ANNUAL AWARDS PROGRAM 23 6.1. General:... 23 Attachment 1 GLOSSARY OF REFERENCES AND SUPPORTING INFORMATION 24 Attachment 2 ANNUAL OPSEC PROGRAM REPORT 29 Attachment 3 SAMPLE OPSEC SELF-ASSESSMENT CHECKLIST 37 Attachment 4 (Added-AFSPC) ROADMAP TO GOOD OPSEC 43 Attachment 5 (Added-AFSPC) OPSEC PLAN FORMAT 45 Attachment 6 (Added-AFSPC) CONTINUITY BINDER INFORMATION 46 Attachment 7 (Added-AFSPC) WING/NAF/DRU OPSEC WORKING GROUP (OWG) 48 Attachment 8 (Added-AFSPC) SOURCES OF OPSEC INDICATORS 49
4 AFI10-701_AFSPCSUP_I 17 MARCH 2008 Chapter 1 GENERAL 1.1. General: 1.1.1. OPSEC is a military capability within Information Operations (IO). IO is the integrated employment of three operational elements: influence operations (IFO), electronic warfare operations and network warfare operations. IO aims to influence, disrupt, corrupt, or usurp adversarial human or automated decision-making while protecting our own. IFO employs core military capabilities of psychological operations (PSYOP), OPSEC, military deception (MILDEC), counterintelligence (CI) operations, public affairs (PA) operations and counterpropaganda operations to affect behaviors, protect operations, communicate commander s intent and project accurate information to achieve desired effects across the battle space. OPSEC s desired affect is to influence the adversary s behavior and actions by protecting friendly operations and activities. 1.2. Operational Context: 1.2.1. Operational Focus. The OPSEC program is an operations function or activity and its goals are information superiority and optimal mission effectiveness. The emphasis is on OPERATIONS and the assurance of effective mission accomplishment. To ensure effective implementation across organizational and functional lines the unit OPSEC program managers (PM) or coordinators will reside in the operations and/or plans element of an organization or report directly to the commander. For those units with no traditional operations or plans element, the commander must decide the most logical area to place management and coordination of the unit s OPSEC program while focusing on operations and the mission of the unit. 1.2.2. Operational effectiveness is enhanced when commanders and other decision-makers apply OPSEC from the earliest stages of planning. OPSEC involves a series of analyses to examine the planning, preparation, execution and post execution phases of any operation or activity across the entire spectrum of military action and in any operational environment. OPSEC analysis provides decision-makers with a means of weighing how much risk they are willing to accept in particular operational circumstances in the same way as operations risk management allows commanders to assess risk in mission planning. 1.2.3. OPSEC must be closely integrated and synchronized with other IFO capabilities, security disciplines, and all aspects of protected operations (see references listed in Attachment 1). 1.3. Purpose: 1.3.1. The purpose of OPSEC is to reduce the vulnerability of Air Force missions from successful adversary collection and exploitation of critical information. OPSEC applies to all activities that prepare, sustain, or employ forces during all phases of operations. 1.3.2. OPSEC Definition. OPSEC is a process of identifying, analyzing and controlling critical information indicating friendly actions associated with military operations and other activities to: 1.3.2.1. Identify those actions that can be observed by adversary intelligence systems. 1.3.2.2. Determine what specific indications could be collected, analyzed, and interpreted to derive critical information in time to be useful to adversaries.
AFI10-701_AFSPCSUP_I 17 MARCH 2008 5 1.3.2.3. Select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation. 1.4. Roles and Responsibilities: 1.4.1. Air Force organizations must develop and integrate OPSEC into their planning to ensure critical information and indicators are identified. The Air Force will integrate OPSEC into military strategy, operational and tactical planning and execution, military indoctrination, support activities, contingency, combat and peacetime operations and exercises, communications-computer architectures and processing, weapons systems Research, Development, Test and Evaluation (RDT&E), Air Force specialized training, inspections, acquisition and procurement, and professional military education. Although the OPSEC program helps commanders make and implement decisions, the decisions are the commander s responsibility. Commanders must understand the risk to the mission and then determine which OPSEC measures are required. 1.4.2. Headquarters, United States Air Force (HQ/USAF). The Deputy Chief of Staff for Operations, Plans and Requirements (AF/A3/5) is the office of primary responsibility (OPR) for implementing DOD OPSEC policy and guidance. This responsibility is assigned to the Director of Operations (AF/A3O). AF/A3O will: 1.4.2.1. Establish an AF OPSEC program focused on senior leadership involvement using the management tools of assessments, surveys, training, education, threat analyses, resourcing, and awareness that, at a minimum, includes: 1.4.2.1.1. Assigning a full-time AF OPSEC PM (O-4 or YA-03) and ensuring AF OPSEC forces are aligned with the AF IO Career Force Plan once it has been fully established. 1.4.2.1.2. Establishing AF OPSEC support capabilities that provide for program development, planning, training, assessment, surveys, and readiness training. 1.4.2.1.3. Conducting annual reviews and validations of the AF OPSEC program as prescribed by DOD and AF policy/guidance. 1.4.2.1.4. Ensuring OPSEC surveys are conducted for subordinate commands and agencies at least once every three years in order to enhance mission effectiveness. 1.4.2.2. Develop Air Force Departmental publications to define policy, guidance, responsibilities, authorities and establish the internal management processes necessary to carry out DOD policy/ guidance. Provide copies of all current service OPSEC program directives and/or policy implementation documents to J-3. 1.4.2.3. Support OPSEC programs at the national, DOD and Joint-level as necessary. 1.4.2.4. Centrally program and manage training for the Air Force OPSEC program. 1.4.2.5. Provide oversight, advocacy and act as the focal point for AF OPSEC assessment capabilities. 1.4.2.6. Ensure appropriate levels of standardized OPSEC training and education are established and provided to all AF personnel to include civil servants and to those contractors who have access to mission critical information. 1.4.2.7. Ensure government contract requirements properly reflect OPSEC requirements.
6 AFI10-701_AFSPCSUP_I 17 MARCH 2008 1.4.2.8. Ensure OPSEC policy development activities are integrated through the Air Force Security Policy and Oversight Board (AFSPOB). 1.4.3. The Secretary of the Air Force Office of Warfighting Integration and Chief Information Officer (SAF/XC): 1.4.3.1. Ensures OPSEC principles are included in information assurance (IA) policy, guidance, and operational oversight. 1.4.3.2. Ensures OPSEC principles and practices are correctly reflected in the AF Enterprise Architecture. 1.4.4. The Office of the Secretary of the Air Force, Public Affairs (SAF/PA) provides policy and guidance to ensure OPSEC is considered in the public affairs processes to release information to the public. 1.4.5. The Assistant Secretary of the Air Force, Acquisition (SAF/AQ) provides policy and guidance to ensure OPSEC is considered in AF acquisition and RDT&E. 1.4.6. The Administrative Assistant to the Secretary of the Air Force (SAF/AA) provides coordination and integration of OPSEC policy and guidance through the AFSPOB. 1.4.7. Air Force MAJCOMs, FOAs, and DRUs will: 1.4.7.1. Implement AF OPSEC policy to incorporate and institutionalize OPSEC concepts into relevant doctrine, policies, strategies, programs, budgets, training, exercising, and evaluation methods. At the base/installation level, FOAs and DRUs will comply with host MAJCOM and wing guidance. 1.4.7.2. Develop effective OPSEC programs IAW guidance issued by AF/A3O. 1.4.7.3. Designate an organization as the OPR for OPSEC and appoint a full-time OPSEC PM position (O-3/4 or YA-02/03) IAW the AF IO Career Force plan once it has been fully established. This position should be placed within the operations or plans element (unless MAJ- COM mission and/or structure requires otherwise) and serve as the POC for all OPSEC related issues between headquarters Air Force and the command. DRUs and FOAs may request an exemption to appointing a full-time OPSEC PM position by submitting a waiver signed by the commander to the AF OPSEC PM with justification for the request. 1.4.7.4. Ensure OPSEC PMs have at a minimum a secret clearance and access to SIPRNET, NIPRNET and organizational email accounts. 1.4.7.5. Develop policy and issue implementing supplements or other guidance as required. 1.4.7.6. Consolidate OPSEC requirements and submit them to the AF IO requirements and analysis working group for inclusion into the Air Force IO Capabilities Plan. 1.4.7.7. Ensure subordinate organizations consistently apply and integrate OPSEC into day-to-day operations and/or other IO activities throughout the command. 1.4.7.8. Ensure all subordinate units are identifying critical information for each operation, activity and exercise whether it be planned, conducted, or supported. 1.4.7.9. Ensure all subordinate units are controlling critical information and indicators.
AFI10-701_AFSPCSUP_I 17 MARCH 2008 7 1.4.7.10. Ensure all subordinate units plan, exercise and implement OPSEC measures as appropriate. 1.4.7.11. Program funds for OPSEC through established budgeting and requirements processes. 1.4.7.12. Ensure OPSEC considerations are applied in capabilities development and the acquisition process. 1.4.7.13. Ensure training of OPSEC PMs and planners at wing-level and above is accomplished as soon as possible upon being appointed. 1.4.7.13. (AFSPC) OPSEC PMs at wing-level and above will report their attendance of the Air Force OPSEC PM training or any other formal OPSEC training (i.e. IOSS or other service courses) within 7 days after completion. Units will submit their reports to headquarters, such that NAFs will correlate data from wings and submit to the MAJCOM OPSEC PM. OPSEC PM alternates should also attend training when funding is available. Training should be accomplished within 90 days of appointment. 1.4.7.14. All OPSEC PMs and planners will be assigned an OPSEC special experience identifier (SEI) when the AF IO Career Force is fully established. SEIs will drive future training allocations upon receipt of orders or upon assignment to units with SEI coded positions. 1.4.7.15. Develop and cultivate the intelligence and CI relationships necessary to support OPSEC programs. 1.4.7.16. Serve as the focal point for MAJCOM-level OPSEC assessments, surveys and support capabilities. 1.4.7.17. Ensure OPSEC considerations are included in annual unclassified public web page reviews and in the approval process for posting new data to AF public and private web sites. 1.4.7.17. (AFSPC) Ensure web page review metrics are included in the annual report. See Attachment 2 for example metrics. 1.4.7.18. Ensure assistance is provided to wing public affairs (PA) office as needed to ensure OPSEC considerations are included in PA review and approval processes for publishing/releasing information to the public. 1.4.7.19. Forward annual self-assessment report for the fiscal year period of 1 Oct - 30 Sep, to the AF OPSEC PM (AF/A3O-CI) NLT 31 October each year (See Attachment 2) 1.4.7.20. Ensure OPSEC related briefings or presentations to be given outside the MAJCOM are coordinated through the Air Force OPSEC PM, AF/A3O-CI, prior to the presentation date. 1.4.8. Air Combat Command (ACC) will: 1.4.8.1. Organize, train, and equip assigned forces to plan and execute OPSEC in a theater of operations for Joint or combined operations in the roles of aerospace control, force application, force enhancement, and force support. 1.4.8.2. Develop, document, and disseminate OPSEC tactics, techniques, and procedures (TTP) for the Combat Air Forces (CAF). 1.4.8.3. Integrate OPSEC into the Air and Space Operations Center (AOC) construct. 1.4.8.4. Provide capabilities to meet Air Force OPSEC assessment requirements.
8 AFI10-701_AFSPCSUP_I 17 MARCH 2008 1.4.8.5. Develop, maintain, program for, and provide Air Force OPSEC initial qualification training. 1.4.8.6. Coordinate with the Air Force Experimentation Office to incorporate Air Force OPSEC initiatives into Joint/Air Force experimentation, traditional and spiral development acquisition activities. 1.4.9. Air Mobility Command (AMC) will: 1.4.9.1. Lead centralized management of OPSEC functions and the establishment and integration of OPSEC in Mobility Air Force operations. 1.4.9.2. Develop Mobility Air Force (MAF) OPSEC TTPs. 1.4.9.3. Integrate OPSEC into the AMC AOC construct. 1.4.9.4. Develop functional area and functional needs analysis for MAF and submit through the AF capabilities based planning process. 1.4.9.5. Centrally program for MAF OPSEC capabilities. 1.4.10. Air Force Material Command (AFMC) will: 1.4.10.1. Ensure OPSEC is integrated into all RDT&E efforts. When critical information is involved ensure OPSEC is applied throughout the life cycle of all weapon systems. 1.4.11. Air Education and Training Command (AETC) will: 1.4.11.1. Provide OPSEC orientation for all new Air Force accessions to include what OPSEC is, its purpose, threat awareness, and the individual's role in protecting critical information. 1.4.11.2. Incorporate OPSEC education into all professional military education. At a minimum, this will include the purpose of OPSEC, critical information, indicators, threats, vulnerabilities, and the individual's role in protecting critical information. 1.4.11.3. Incorporate OPSEC concepts and capabilities into specialized courses, such as the Contingency Wartime Planning Course, Joint Air Operations Planning Course, and the Information Warfare Application Course. These courses will include command responsibilities and responsibilities of OPSEC planners in Joint Forces Command IO Cells and MAJCOMs. 1.4.11.4. Ensure OPSEC is addressed in all technical and specialty school programs. 1.4.11.5. Establish a validation process to ensure AF/A3O-CI, reviews all AETC OPSEC training materials used in accession and professional military education. 1.4.12. Air Force Office of Special Investigations (AFOSI) will: 1.4.12.1. Provide OPSEC PMs, coordinators and unit commanders with AFOSI local threat information. 1.4.12.2. Provide counterintelligence vulnerability support when possible for OPSEC assessments. 1.4.13. US Air Force Academy will provide OPSEC orientation for all new Air Force accessions to include what OPSEC is, its purpose, threat awareness, and the individual's role in protecting critical information.
AFI10-701_AFSPCSUP_I 17 MARCH 2008 9 1.4.14. Academy of Military Science will provide OPSEC orientation for all new Air Force accessions to include what OPSEC is, its purpose, threat awareness, and the individual's role in protecting critical information. 1.4.15. Commanders will: 1.4.15.1. Issue policy and guidance to all assigned personnel to ensure OPSEC is integrated into day-to-day and contingency operations. Commanders may delegate authority for OPSEC program management, but retain responsibility for risk management decisions and the overall implementation of OPSEC measures. They must determine the balance between OPSEC measures and operational needs. 1.4.15.2. Appoint in writing a primary and alternate OPSEC PM or coordinator and forward to higher headquarters (HHQ) OPSEC PM. OPSEC PMs will be assigned for a minimum of 18 months. Organizations where an assignment is less than 18 months will request, in writing, a waiver through their MAJCOM OPSEC PM from AF/A3O-CI. Once the AF IO Career Force Plan has been fully established, OPSEC PMs, coordinators and planners will be assigned to manpower billets IAW the AF IO Career Force Plan. 1.4.15.2. (AFSPC) Forward a copy of all OPSEC program manager/alternate and OPSEC coordinator/alternate appointment letters via hardcopy fax or E-mail softcopy to the AFSPC/A3DI within 7 days of appointment. When an OPSEC PM, coordinator or alternate is scheduled to PCS, the Commander will identify a replacement within 60 days of the absence and forward a new signed appointment letter no later than 30 days prior to the departure date. This will assist in maintaining the continuity of the OPSEC program, allow lead time to schedule personnel for training, and ensure the unit is still capable of responding to OPSEC directives from HHQ. 1.4.15.3. Ensure OPSEC is integrated into planning efforts to increase mission effectiveness. Ensure organizational planners are trained to incorporate OPSEC into all functional areas of plans. 1.4.15.3. (AFSPC) Approve a written OPSEC Plan. Plans will utilize the format in Attachment 5 (Added). 1.4.15.4. Ensure critical information lists (CIL) are developed and procedures are in place to control critical information and their indicators. 1.4.15.5. Ensure OPSEC assessments are conducted to support operational missions. 1.4.15.6. Establish OPSEC working groups (OWG) at the wing-level and above. In addition, an ad-hoc OWG will be established for any large-scale operation or exercise. NOTE: Refer to AFTTP 3-1.36, Information Warfare Planning, Integration, and Employment Considerations (U), Attachment 5 for additional guidance to include OWG composition and responsibilities. 1.4.16. OPSEC PMs: Are assigned at the wing-level and above and will: 1.4.16.1. Manage the organization s OPSEC program. 1.4.16.2. Advise the commander on all OPSEC-related matters, to include developing and recommending OPSEC policy, guidance, and instructions. Review periodically for currency and update as necessary. 1.4.16.3. Have at a minimum a secret clearance and access to SIPRNET, NIPRNET and organizational email accounts.
10 AFI10-701_AFSPCSUP_I 17 MARCH 2008 1.4.16.4. Develop, maintain, and monitor the execution of the organization s OPSEC program. 1.4.16.5. Ensure OPSEC is incorporated into organizational plans, exercises, and activities. 1.4.16.5. (AFSPC) Manage the integration of OPSEC into military strategy, operational and tactical planning and execution, military indoctrination, support activities, contingency, combat and peacetime operations and exercises, communications-computer architectures and processing, weapons systems Research, Development, Test and Evaluation (RDT&E), Air Force specialized training, inspections, acquisition and procurement, and professional military education. 1.4.16.6. Develop and implement commander s OPSEC policy and critical information list. 1.4.16.7. Ensure OPSEC is integrated into IO, IFO and other supporting capabilities. 1.4.16.8. Ensure procedures are in place to control critical information and indicators to include compiling subordinate organization critical information for consolidation into command critical information lists. 1.4.16.9. Participate in annual multi-disciplinary web page review boards as outlined in AFI 33-129, Web Management and Internet Use, Para 3.9.1. Note: OPSEC PMs develop policy to be used by web page review boards. OPSEC PMs will answer questions concerning protecting critical information and when required will coordinate OPSEC reviews of public and/or restricted web pages. 1.4.16.9. (AFSPC) Conduct an annual review of all web pages and all internet/web-based bulletin boards (blogs) by 01 October to ensure a proper risk assessment can be made prior to forwarding the annual self-assessment data/report to HHQ. Ensure web page review metrics are included in the annual report (See Attachment 2). 1.4.16.10. Assist wing PA office as needed to ensure OPSEC considerations are included in PA review and approval processes for publishing/releasing information to the public; to include but not limited to printed and televised media. OPSEC PMs will develop policy to be used by PA and provide advice concerning protecting critical information. 1.4.16.11. Provide management, development, and oversight of appropriate OPSEC training and ensure training is provided to subordinate coordinators and OWG members. 1.4.16.12. Ensure unit deployment managers (UDM) add OPSEC awareness training as a mandatory UDM requirement for deploying personnel. 1.4.16.13. Ensure annual OPSEC self-assessments are conducted (See attachment 3) by subordinate units for the fiscal year period (1 Oct - 30 Sep) and results forward via annual self-assessment report through MAJCOM to reach AF/A3O-CI NLT 31 October each year. Annual self-assessment reports will be maintained on file for at least 1 year after the end of each fiscal year. 1.4.16.13. (AFSPC) Forward annual OPSEC self-assessments to AFSPC/A3DI via E-mail softcopy by 15 October of each year using the template in Attachment 2. 1.4.16.14. Chair OWG. The OWG will consist of representatives from the appropriate IO and security disciplines and applicable supporting organizations. NOTE: Refer to AFTTP 3-1.36, Attachment 5 for additional guidance to include OWG composition and responsibilities. 1.4.16.14. (AFSPC) See Attachment 7 (Added) for OWG guidelines.
AFI10-701_AFSPCSUP_I 17 MARCH 2008 11 1.4.16.15. Coordinate and facilitate OPSEC assessments such as surveys, annual self-assessments, and vulnerability assessments as listed in Chapter 5. 1.4.16.16. Serve as the focal point for OPSEC support capabilities as listed in Chapter 5. 1.4.16.17. Conduct Staff Assistance Visits (SAV) on subordinate units as required or requested. 1.4.16.18. Submit request for intelligence (RFI) information to the appropriate intelligence organization to ensure OPSEC PMs and planners receive timely intelligence threat briefings and/or updates to determine OPSEC implications. 1.4.16.19. Coordinate and integrate OPSEC initiatives with tenant unit OPSEC PMs/coordinators even though administrative oversight of the tenant unit s program still resides with their respective MAJCOM. 1.4.16.20. Serve on exercise evaluation teams (EET) to observe and evaluate mission profiles and signatures, as well as OPSEC measures of performance (MOPs) that assess the organizations ability to mitigate loss of critical information. OPSEC PMs will also evaluate how unit personnel execute OPSEC measures. Any deficiencies or best practices will be submitted in after action reports and to the AF lessons learned database (https://afknowledge.langley.af.mil/afcks/). Lessons learned will be used to develop tactics improvement proposals (TIPs) IAW AFI 10-204, Readiness Exercises and After-Action Reporting Program, and AFI 11-260, Tactics Development Program. 1.4.16.21. (Added-AFSPC) Ensure and assist subordinate OPSEC coordinators to provide mission-oriented OPSEC education and awareness training to all personnel. 1.4.16.22. (Added-AFSPC) Ensure inputs to the Program Objective Memorandum (POM) are submitted to HQ AFSPC/A3DI by 01 October. This includes funds for training and OPSEC Program execution. 1.4.16.23. (Added-AFSPC) Coordinate with other security Program Managers (COMSEC, COMPUSEC, Force Protection, INFOSEC, etc.) at your command level to incorporate OPSEC concepts and lessons learned into their security training sessions. 1.4.17. OPSEC coordinators: Are assigned in writing at each subordinate organization below the wing-level (MAJCOM, ANG, FOA, and DRUs also require coordinators within HQ directorates, as appropriate) and will: 1.4.17.1. Have at least a minimum secret clearance, possess a NIPRNET and access to an organizational email and SIPRNET accounts. 1.4.17.2. Advise commander on all OPSEC matters to include developing and recommending policy, guidance, instructions, and measures. 1.4.17.3. Tenant unit OPSEC coordinators will closely coordinate and integrate with host wing OPSEC initiatives and working groups. However, administrative oversight of the tenant unit s program still resides with their HHQ OPSEC PM. If the host wing has an OPSEC working group, the coordinator will seek representation in it. 1.4.17.4. Incorporate OPSEC into organizational plans, exercises, and activities. 1.4.17.5. Develop, implement, and distribute commander s OPSEC policy and critical information list. Review periodically for currency and update as necessary.
12 AFI10-701_AFSPCSUP_I 17 MARCH 2008 1.4.17.6. Ensure procedures are in place to control critical information and indicators and are reviewed periodically for effectiveness. 1.4.17.7. Utilize assessment results to correct discovered vulnerabilities and aid organization OPSEC awareness efforts. 1.4.17.8. Ensure OPSEC reviews are conducted on all organizational web pages prior to the information being posted, updated, or modified. 1.4.17.8. (AFSPC) Ensure web page review metrics are included in the annual self-assessment report. See Attachment 2 for example metrics. 1.4.17.9. Conduct OPSEC reviews of information submitted for publication or release to the public. This could include, but is not limited to base newspapers, safety magazines, flyers, web pages, television interviews and information for news articles. 1.4.17.10. Coordinate with appropriate organizations and wing senior leadership to resolve/mitigate AF OPSEC assessment findings as required. 1.4.17.11. Provide management of unit s OPSEC training and ensure initial OPSEC awareness training is accomplished upon arrival of newly assigned personnel and annual refresher OPSEC training thereafter. 1.4.17.12. Coordinate, facilitate, and conduct OPSEC assessments such as surveys, annual self-assessments (See Attachment 3), and vulnerability assessments as listed in Chapter 5. Forward annual self-assessment reports for the period of 1 Oct through 30 Sep each fiscal year to HHQ OPSEC PM according to MAJCOM guidance. 1.4.17.12. (AFSPC) Conduct and report annual OPSEC self-assessments to the respective wing or HHQ OPSEC Program Manager as appropriate NLT 01 October of each year. Annual self assessments will utilize the template in Attachment 2 and will be sent via E-mail softcopy. 1.4.17.13. Serve as the focal point for OPSEC support capabilities as listed in Chapter 5. 1.4.17.14. (Added-AFSPC) Submit a unit annual OPSEC budget request to HHQ by 01 October. 1.4.18. (Added-AFSPC) Specific AFSPC OPSEC policies. 1.4.18.1. (Added-AFSPC) Out-of-Office E-Mail/Voicemail. Use of out-of-office e-mail reply and voicemail tool(s) are permitted with restrictions. Personnel will screen their replies to ensure it doesn t contain any information that violates good OPSEC practices. 1.4.18.1.1. (Added-AFSPC) Examples of prohibited out-of-office e-mail/voicemail information are: Exact deployment/leave/tdy dates, deployment/leave/tdy locations, description/ nature of absence, or any personal details that might lead to exploitation. 1.4.18.1.2. (Added-AFSPC) Example of a properly formatted out-of-office e-mail/voicemail reply is as follows: I m currently out of the office. In case of an emergency please contact me on my cell phone at XXX-XXXX. For routine program inquiries please contact MSgt Jones at XXX-XXXX and for all other branch requests please contact Maj Smith at XXX-XXXX. 1.4.18.2. (Added-AFSPC) 100% Shred policy. Whenever feasible, all unclassified paper products across AFSPC, except for newspapers and magazines, will be shredded prior to disposal or removal from the workplace for recycling, preventing our adversaries from exploiting the enormous amounts of crucial information we generate while accomplishing our various mission areas.
AFI10-701_AFSPCSUP_I 17 MARCH 2008 13 If for some reason the material cannot be shredded, units are required to find an alternate method of destruction that ensures no information can be obtained from any of the products. 1.4.18.2.1. (Added-AFSPC) Shredder specifications. Units may utilize any shredder cleared for the destruction of classified material. If no classified shredders are accessible or available, organizations will obtain a shredder with a 3/8 crosscut or better for the destruction of their unclassified material. 1.4.18.2.2. (Added-AFSPC) Alternate destruction methods. Pulverizing or burning are also approved methods of destroying unclassified material. 1.4.18.2.3. (Added-AFSPC) Units have 1 year from the implementation of this supplement to comply with the above shred policy. 1.4.18.3. (Added-AFSPC) 100% Destruction of unclassified magnetic media. Dispose of unclassified magnetic media (video tapes, voice recordings, computer media, computer disk, ZIP disk, CD-R and RW, DVDs, flash drives, flash memory cards or sticks, hard drives internal or external, etc.) in accordance with Air Force System Security Instruction 5020, Remanance Security. 1.4.18.4. (Added-AFSPC) Use of government/personal cell phones in office/work areas. Personnel should refrain from using any non-secure cell phones in their respective office/work areas, since these wireless devices are more vulnerable to monitoring and exploitation. This will prevent our adversaries from obtaining any sensitive information routinely discussed in the work environment that can be heard in the background during phone calls. Use of non-secure cell phones in designated break areas, foyers, etc. is authorized. See Emission Security Information Message (ESIM) 05-01 and AFI33-203, Volume 3, Emission Security Countermeasures Reviews for policy details. 1.4.18.5. (Added-AFSPC) OPSEC Continuity Binders. All OPSEC Program Managers/Coordinators must maintain an OPSEC Continuity Binder. See Attachment 6 (Added) for correct layout and items it must include. Items may be maintained in electronic format as long as they are readily accessible upon demand. 1.4.18.6. (Added-AFSPC) AFSPC units will use Attachment 4 (Added) to determine maturity and robustness of their OPSEC program. This will assist HHQ in focusing limited resources towards improving subordinate unit programs. 1.4.18.7. (Added-AFSPC) When funding is available the MAJCOM Program Manager will facilitate and chair an annual MAJCOM OPSEC Symposium to address MAJCOM-wide OPSEC issues. 1.4.18.8. (Added-AFSPC) OPSEC plans need to be modified as applicable whenever any mission changes occur or current events dictate adjusting your procedures. Once an OPSEC plan has been approved, an annual review for currency is required by 01 October. Submit updated OPSEC plans to HQ AFSPC/A3DI within 14 days of any updates/changes or annually by 15 October. See Attachment 5 (Added) for categories that need to be addressed in the OPSEC plan. 1.4.18.9. (Added-AFSPC) OPSEC Vulnerabilities. If an OPSEC Vulnerability is discovered and can not be resolved locally or has a potential to affect other AFSPC units, the OPSEC PM/Coordinator can request HHQ assistance (via email, MFR etc). The suggested format should include appropriate classification, background information, description of vulnerability, action(s) taken to resolve the vulnerability and desired HHQ assistance.
14 AFI10-701_AFSPCSUP_I 17 MARCH 2008 Chapter 2 OPSEC PROCESS 2.1. General: 2.1.1. OPSEC is accomplished using a five-step process: 1) Identify critical information; 2) Analyze threats; 3) Analyze vulnerabilities; 4) Assess risk; and 5) Apply OPSEC measures. Although these steps are normally applied in a sequential manner during deliberate or crisis action planning, dynamic situations may require any step to be revisited at any time. 2.2. Identify Critical Information: 2.2.1. Critical information is specific facts about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively, so as to guarantee failure or unacceptable consequences for friendly mission accomplishment. OPSEC indicators are friendly detectable actions and open-source information that can be collected, interpreted or pieced together by an adversary to derive critical information. The product of the first step in the OPSEC process is a Critical Information List (CIL). 2.2.1.1. (Added-AFSPC) CILs need to be modified as applicable whenever any mission changes occur or current events dictate adjusting your procedures. CILs should only contain truly critical information and not become a laundry list of all mission processes. Keep CILs to one page if possible, but no more than two pages. Once a CIL has been approved, an annual review for currency is required by 01 October. Submit updated CILs to HHQ within 14 days of any updates/changes or annually by 15 October. See Attachment 8 (Added) for a partial list of Sources of OPSEC Indicators. 2.2.2. Critical information is best identified by the individuals responsible for the planning and execution of the unit s mission. An OWG or staff planning team can most effectively accomplish this task. Once a CIL is developed, commanders must approve the list and then ensure their critical information is protected and/or controlled. 2.2.3. Critical information and OPSEC indicators will be identified at the earliest stages of planning an operation or activity and continuously updated as necessary to support mission effectiveness. 2.3. Analyze Threats: 2.3.1. A threat is an adversary with the capability and intent to undertake any actions detrimental to the success of program activities or operations. 2.3.2. The primary sources to obtain threat information are your local intelligence and counterintelligence organizations. 2.3.3. Intelligence organizations analyze the threat through research of intelligence, counterintelligence, and open source information to identify who is likely to disrupt, deny, degrade, or destroy planned operations. 2.3.4. A threat assessment should identify adversaries, their goals, what they already know, their capability to collect OPSEC indicators and derive critical information, and potential courses of action.
AFI10-701_AFSPCSUP_I 17 MARCH 2008 15 2.4. Analyze Vulnerabilities: 2.4.1. An OPSEC vulnerability is a condition where friendly actions provide indicators that may be obtained and accurately evaluated by an adversary in time to provide a basis for effective adversary decision-making. The OWG or staff planning team must conduct the vulnerability analysis based on operational planning and current operating environment. 2.5. Assess Risk: 2.5.1. An OPSEC risk is a measure of the potential degree to which critical information and indicators are subject to loss through adversary exploitation. The OWG or staff planning team must conduct the OPSEC risk assessment and develop recommended OPSEC measures based on operational planning and current operating environment. A typical risk assessment will: 2.5.1.1. Compare vulnerabilities identified with the probability of an adversary being able to exploit it in time to be useful to determine a risk level. 2.5.1.2. Determine potential OPSEC measures to reduce vulnerabilities with the highest risk. The most desirable OPSEC measures are those that combine the highest possible protection with the least adverse effect on operational effectiveness. 2.6. Apply OPSEC Measures: 2.6.1. OPSEC measures are the methods and means to gain and maintain essential protection of critical information. OPSEC measures may be both offensive and defensive in nature. 2.6.2. Potential OPSEC measures, among other actions are, cover, concealment, camouflage, deception, intentional deviations from normal patterns, and direct strikes against adversary collection. 2.6.3. The OWG or staff planning team will submit recommended OPSEC measures for commander approval through the operational planning process for employment. 2.6.4. OPSEC measures must be synchronized with other components of IO to achieve synergies in efforts to influence the adversary s perceptions and situational awareness. Care must be taken so that OPSEC measures do not become unacceptable indicators themselves. 2.6.5. During the execution of OPSEC measures, the adversary s reaction to the measures is monitored, if possible, to provide feedback that can be used to assess effectiveness or determine potential unintended consequences.
16 AFI10-701_AFSPCSUP_I 17 MARCH 2008 Chapter 3 OPSEC PLANNING 3.1. General. This chapter provides direction for planners at wings and AOCs to integrate OPSEC into plans. Air Force forces can be under observation at their peacetime bases and locations, in training or exercises, while moving, or when deployed to the field conducting actual operations. OPSEC methodology provides systematic and comprehensive analysis designed to identify observable friendly actions that could betray intentions or capabilities. Therefore, OPSEC principles must be integrated into operational, support, exercise, and acquisition planning. All plans will be reviewed periodically to ensure currency and updated when required. 3.1.1. OPSEC PMs will assist unit planners to incorporate protection of critical information and indicators into supported OPLANS and supporting plans. They will also assist exercise planners in developing master scenario events listings (MSEL) and MOPs to train unit personnel in the application or execution of OPSEC measures (See AFDD 2, Operations and Organizations, for more information concerning MOPs and measures of effectiveness (MOE)s). 3.2. Operational Planning. OPSEC will be included in force presentation and deliberate and crisis action planning and execution segment (DCAPES) for the planning, deployment, employment, sustainment, redeployment and reconstitution of forces. DCAPES supports all phases of operations development and execution at the strategic, operational, and tactical levels. OPSEC will be included in all operational plans (OPLANs), concept plans (CONPLANs), functional plans (FUNCPLANs), and operation orders (OPORDS). Planners will use existing TTPs to develop Tab C to Appendix 3 to Annex C to the OPORD or OPLAN. The planning staff will identify critical information and OPSEC indicators from all functional areas requiring protection throughout each phase of the operation. Threat(s) and vulnerability assessments will be used to identify applicable OPSEC measures to mitigate any unacceptable operational risks. MOP and MOE will be developed for each OPSEC measure. 3.3. Support Planning. Integrate OPSEC into all wartime and contingency plans as well as support plans, i.e., programming plans (PPlans) and in-garrison expeditionary site plans (IGESPs). 3.4. Exercise Planning. In order to enhance combat readiness and improve crisis response, OPSEC will be included in all exercise plans (EXPLANs). Specific OPSEC scenarios will be included in the exercise MSELs with MOPs to assess the proficiency of functional planners to mitigate loss of critical information and unit personnel to execute OPSEC measures. Any deficiencies or best practices will be submitted to the AF lessons learned database (https://afknowledge.langley.af.mil/afcks/) and used to develop TIPs IAW AFI 10-204 and AFI 11-260. 3.4.1. OPSEC measures will also be employed during the exercise to minimize observation of sensitive training activities by adversary surveillance and treaty verification activities. 3.5. Acquisition Planning. OPSEC requirements will be determined for all acquisitions and contractor-supported efforts beginning with operational capabilities requirements generation and continues through design, development, test and evaluation, fielding, sustainment and system disposal. When required to protect sensitive military operations, commanders will ensure OPSEC requirements are added
AFI10-701_AFSPCSUP_I 17 MARCH 2008 17 to contracts. Commanders will evaluate contractor-developed and proposed OPSEC programs for compliance with required standards. NOTE: For more detailed planning instructions, refer to AFI 10-400 series publications.
18 AFI10-701_AFSPCSUP_I 17 MARCH 2008 Chapter 4 OPSEC AWARENESS EDUCATION AND TRAINING 4.1. General. All Air Force personnel (military and civilian) and contractors who have access to mission critical information require a general knowledge of threats, vulnerabilities and their responsibilities associated with protecting critical information. This is accomplished through initial and recurring annual OPSEC training. Standardized AF OPSEC awareness training located on the AF Advanced Distance Learning System (ADLS) is the baseline training required for all personnel. Unit specific training will be provided in addition to this training to ensure all personnel in the Air Force are aware of local threats, vulnerabilities and critical information unique to their duty assignment. OPSEC PMs, coordinators, and planners assigned to OPSEC positions require more in-depth training designed to ensure proper management, planning, and execution of organizational OPSEC programs. 4.2. All Personnel: 4.2.1. Awareness education will be provided to personnel upon initial entrance/accession into military service. 4.2.2. Awareness education provided in accession programs will encompass what OPSEC is, its purpose, threat awareness and the individual's role in protecting critical information. 4.2.3. Unit-specific initial OPSEC awareness training will be provided at each new duty location as part of in-processing and annually thereafter. Personnel must understand the scope of the threat, the nature of the vulnerability and their responsibility to execute OPSEC measures to protect critical information and unit specific OPSEC indicators. Annual training must include, at a minimum, updated threat and vulnerability information, changes to critical information and new procedures and/ or OPSEC measures implemented by the organization. 4.2.4. When government-provided OPSEC training is required by a contract, OPSEC PMs and/or OPSEC coordinators will provide OPSEC training or training materials to contract employees within 90 days of employees initial assignment to the contract. 4.2.5. Unit OPSEC coordinators will track initial and annual awareness training and report training initiatives in their annual OPSEC self-assessment reports to their respective HHQ OPSEC PM. Wing, MAJCOM, FOA, and DRU OPSEC PMs are responsible for the tracking of command/wing staff personnel training initiatives. 4.3. OPSEC Program Managers, Coordinators, and Planners: 4.3.1. OPSEC Orientation Training. Personnel assigned as an OPSEC PM, coordinator, planner, or vulnerability assessment team member are required to complete OPSEC orientation training. Once developed, approved and deployed, the Air Force s OPSEC orientation training course will be the primary method used to satisfy this requirement. Until then, the Interagency OPSEC Support Staff s (IOSS) OPSE-1301 CBT course is the accepted method for completing OPSEC orientation training. Additionally, OPSEC training can be received from HHQ OPSEC PM. Training must be completed within 30 days of assignment to OPSEC duties. 4.3.2. Formal OPSEC training. Formal OPSEC training is required for all OPSEC PMs, planners assigned to OPSEC positions and those who conduct formal OPSEC surveys.
AFI10-701_AFSPCSUP_I 17 MARCH 2008 19 4.3.2.1. Training must be completed within 90 days of appointment through the next available Air Force Signature Management Course; IOSS OPSE-2500, OPSEC Analysis and Program Management Course; or OPSEC-2400, DOD OPSEC Course. The Air Force course is the preferred method. 4.3.2.1.1. If training cannot be obtained within 90 days of appointment, units must submit a request for waiver to AF/A3O-CI, through their HHQ OPSEC PM justifying an extension to the 90 day requirement. Waivers must contain confirmation that individual is scheduled for next available training course. Because training of traditional AF Reservists and ANG personnel differs from active duty Air Force, traditional AF Reservist and ANG personnel will be granted automatic waivers. 4.3.2.2. Wing, center and installation commanders will program unit funds for training attendance, however MAJCOM Military Deception program managers may fund MAJCOM training quotas. Request for training will be submitted through the wing OPSEC PM to their respective HHQ OPSEC PM. 4.3.3. Mission Readiness Training (MRT). Personnel working in the AOC require MRT that encompasses initial qualification training (IQT), mission qualification training (MQT), and continuation training (CT). IQT will consist of formal training and mission specific on the job training. MQT will consist of mission specific training and will be documented via Stan/Eval processes. CT will be provided as needed. MRT will be accomplished during training exercises.
20 AFI10-701_AFSPCSUP_I 17 MARCH 2008 Chapter 5 OPSEC ASSESSMENTS 5.1. General: 5.1.1. Assessments are performed to achieve two specific purposes: to provide information and data into the OPSEC risk analysis process and to gauge the overall effectiveness of the program (See Table 5.1. for OPSEC assessment types). 5.1.2. The Air Force provides several tools to assist OPSEC PMs, coordinators, and planners to obtain information and data to perform risk analysis. These tools assist in assessing the level of exposure of critical information and operational indicators to adversary observation, surveillance, and intelligence sensors. OPSEC planners, PMs and coordinators use assessment results within the risk management process to determine protective measures which can mitigate or negate risk to operations. 5.1.3. Assessment of program effectiveness is accomplished through the development of MOP and MOE. MOPs are developed to assess the proficiency of unit personnel to protect critical information through the execution of OPSEC measures. Any deficiencies or best practices identified are documented in lessons learned and TIPs. IG inspections are also used to assess unit compliance, operational readiness, and nuclear surety. Submit TIPs IAW AFI 11-260. 5.1.4. OPSEC PMs will request external assessments via their respective HHQ OPSEC PMs. 5.1.5. MAJCOM OPSEC PMs are the focal point for requesting and scheduling all external assessments and setting all priorities between command organizations. 5.2. OPSEC Program Self-Assessment: 5.2.1. Self-assessments are continual processes that involve combining data collected from MOP, MOE, exercise after action reports (AARs), lessons learned, nuclear surety, operational readiness/ compliance inspections, and annually conducted self-assessments/self-inspections. This data is reported annually as a self-assessment report to the HHQ OPSEC PM and is outlined in Attachment 2. 5.2.2. OPSEC PMs and coordinators will conduct annual self-assessments to ensure the health of their program, evaluate compliance with applicable policies and to identify short-falls and vulnerabilities. Attachment 3 contains a sample self-assessment checklist that can be modified for specific unit/ activity needs. This data will be reported annually as outlined in Attachment 2. 5.3. Staff Assistance Visit (SAV): 5.3.1. SAVs may be conducted periodically by HHQ OPSEC PMs or other organization subject matter experts (SME) to assist units in repairing dormant, non-compliant, deficient programs or for any other reason deemed necessary by the commander. The unit will request such assistance through their respective chain-of-command and will fund travel. SAVs check for program compliance (i.e., Special Interest Items, Air Force Instructions, MAJCOM policies, etc.), identify and resolve shortfalls, and provide guidance to OPSEC PMs/coordinators as required. 5.4. Survey: